Market Guide for Privileged Account Management
Published: 17 June 2014
Analyst(s): Felix Gaehtgens, Anmol Singh

Establishing controls around privileged access continues to be a focus of attention for organizations and auditors. Security leaders must be prepared to address the inventory, classification and use of privileged accounts. A thriving market provides many options for tools to help with these tasks.

Key Findings

- The PAM market continues to see strong growth across the board. New players are entering the market.
- Pricing for PAM products remains highly variable.
- Many vendors in the space are supplementing their offerings through partnerships and aggressive development of new functionality.
- Monitoring and auditing capabilities, advanced features for hypervisor and cloud infrastructure support, and behavioral analysis tools are differentiators for products.
- The banking and securities segment remains, by far, the largest consumer of PAM products and services, followed by government and IT services.

Recommendations

- Do not overlook nonhuman service and application accounts. They are major sources of operational and security risk.
- Scrutinize vendor offerings for completeness in fulfilling your requirements during product selection. There are large variations in pricing, features and add-on modules offered by vendors.
- Evaluate your capabilities to create and maintain SUPM policies before making investments in SUPM tools that implement fine-grained command control.
- Compare mixed offerings from multiple vendors against comprehensive suites. Individual components can be coupled, and can sometimes offer a more suitable solution at a lower price than a suite offering.

Strategic Planning Assumption

By 2016, 75% of SAPM vendors will offer full AAPM functionality, either bundled or as a separate option, up from 50% today.

Market Definition

Privileged account management (PAM) technologies help organizations protect critical assets and meet compliance requirements by securing, managing and monitoring privileged accounts and access. PAM tools offer one or more of these features:

- Providing secured, centralized and automated management of passwords for administrative, service and application accounts, as well as enforcement of password policies.
- Controlling access to shared accounts.
- Managing and monitoring privileged sessions, commands and actions in real time through over-the-shoulder surveillance, recording them and allowing them to be audited.
- Controlling and filtering commands or actions an administrator can execute.
- Providing capabilities to govern and administer administrative access.
- Maintaining a comprehensive view of privileged accounts and their usage in the IT environment through dashboards and reporting.
- Integrating with existing IT service management (ITSM) systems and change management workflows for tighter control of administrative access.

The tools apply to administrative access spanning a wide range of systems and infrastructure, from accounts on operating systems, databases, middleware and applications to network devices and SaaS applications. Although the major focus is on managing privileged access, PAM tools are also used for managing shared access to nonadministrative shared accounts (some organizations use them to put controls around access to shared social networking accounts used for marketing purposes). Accounts used by nonhuman users, such as services or applications, whether of an administrative nature or not, are also usually in scope.

Interest in PAM technology has risen sharply during the past year, driven by several factors:

Page 2 of 27 Gartner, Inc. G
- Regulation and failed audits, because auditors are paying closer attention to privileged accounts, and regulations are forcing organizations to create an irrefutable trail of evidence for privileged access.
- The risk of insider threats.
- The existence of malware that specifically targets privileged accounts.
- Outsourcing of IT operations to contractors and external vendors who gain extended and, in many cases, uninterrupted access to sensitive information and critical corporate assets.
- IT service providers that manage infrastructure for multiple enterprises, creating a need for audit trails of who is accessing which client's infrastructure.

Market Direction

The market for PAM technology is thriving. True to the saying that "a rising tide lifts all boats," every PAM vendor's revenue is growing. Gartner has estimated that vendor revenue for PAM licenses, hosting, support and maintenance reached $450 million in 2013, up from $325 million in 2012 (see the Appendix section). The market remains competitive, and Gartner expects a consolidation of features through partnerships and active development of competitive features, specifically:

Cloud and Hypervisor: As organizations continue to take up virtualization and cloud infrastructure, PAM tools are expected to continue to build out features to discover and manage infrastructure:

- Automated discovery and enrollment of hypervisor guests and infrastructure as a service (IaaS) instances
- Fine-grained authorization of infrastructure management operations (who can create/modify/delete/start/stop individual instances)

An evolving angle will be cost management. The creation of virtual infrastructure in an IaaS environment can have large financial consequences.
Because virtual infrastructure is often managed via APIs, super user privilege management (SUPM) gateway solutions for IaaS management that can place fine-grained limitations on infrastructure management (such as how many new instances may be created, or what the maximum cost of an operation may be) are slowly gaining traction. Xceedium is currently in a trailblazer position, and CyberArk has also announced support for Amazon Web Services (AWS) infrastructure privilege management.

Privileged Usage Analytics: Some vendors are focusing on behavioral analytics to detect unusual usage patterns that could be an indicator of abuse by insiders or of advanced targeted attacks. This ranges from monitoring shared account access to monitoring access to high-risk applications. Almost all PAM tools can send detailed usage data and events to a security information and event management (SIEM) system, but some vendors (such as CyberArk) go even further and implement a closed loop where additional data from SIEM systems is consumed for further analytics. We expect this trend to continue, and to see other vendors building out their analytics and detective control features. Analytics based on privilege usage behavior could also help in the creation and maintenance of SUPM policies, whitelists and blacklists, which is difficult and not well-addressed by PAM tools. However, this is not currently offered by vendors.

Multitenancy: Several vendors have indicated a strong uptake for PAM tools by managed service providers and cloud infrastructure operators. These organizations require multitenancy features within PAM tools, and several vendors are differentiating themselves by catering to this demand. Given the lucrative nature of these deals, Gartner expects most vendors without multitenancy features to catch up by

Autodiscovery: Most organizations face challenges with the scattered and hidden nature of service and application credentials, especially the latter, which may be hardcoded in scripts and application code, or stored in configuration files. Many vendors provide account autodiscovery features that help organizations identify and manage privileged and service accounts. Systems and applications are periodically scanned for newly provisioned/created accounts, which are brought under management. However, these features are not 100% reliable, and cannot discover every account. Other measures are needed to identify accounts that may not be caught by autodiscovery features (see "How to Manage Authentication and Credentials for Software Accounts").

Privileged Identity Governance and Administration: The need to certify and manage privileged access is causing some vendors to integrate their PAM offerings with identity governance and administration (IGA) products, in some cases from the same vendor.
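The privileged usage analytics described above amount to a baseline-and-deviation check over the PAM audit trail. The Python script below is an added example written for this guide, not code from Gartner or from any vendor named on this page. The audit line layout, the user names and the events are constructed; the three features it profiles per user (targets seen, working-hour window, source subnet) are an illustrative choice, not a vendor's algorithm. It also shows the handling a practitioner needs in a detection job: malformed lines are skipped, and a user with no history at all is flagged rather than silently passed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of a SAPM check-out audit trail.
# They are not output of any real product; the field layout is an assumption.
BASELINE_LOG = """\
2014-05-05T09:12:00Z user=jsmith action=checkout account=root target=db01 src=10.0.5.7
2014-05-06T10:40:00Z user=jsmith action=checkout account=root target=db02 src=10.0.5.7
2014-05-07T14:05:00Z user=jsmith action=checkout account=oracle target=db01 src=10.0.5.9
2014-05-07T14:30:00Z user=jsmith action=checkin account=oracle target=db01 src=10.0.5.9
2014-05-05T08:30:00Z user=akumar action=checkout account=admin target=web01 src=10.0.7.21
2014-05-06T17:55:00Z user=akumar action=checkout account=admin target=web02 src=10.0.7.21
"""

NEW_LOG = """\
2014-06-10T11:02:00Z user=jsmith action=checkout account=root target=db01 src=10.0.5.7
2014-06-10T02:13:00Z user=jsmith action=checkout account=root target=hr-fileserver src=192.168.44.3
2014-06-10T09:15:00Z user=akumar action=checkout account=admin target=web01 src=10.0.7.21
2014-06-10T09:20:00Z user=contractor7 action=checkout account=admin target=web01 src=10.0.7.40
this line is deliberately malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"account=(?P<account>\S+) target=(?P<target>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn audit lines into dicts; malformed lines are dropped rather than crashing the job."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def subnet(ip):
    """/24 prefix, used as a coarse 'where did this come from' feature."""
    return ".".join(ip.split(".")[:3])


def build_baseline(events):
    """Per-user profile of targets, hours and source subnets seen during the learning period."""
    profile = defaultdict(lambda: {"targets": set(), "hours": [], "subnets": set()})
    for e in events:
        if e["action"] != "checkout":
            continue
        p = profile[e["user"]]
        p["targets"].add(e["target"])
        p["hours"].append(e["ts"].hour)
        p["subnets"].add(subnet(e["src"]))
    return profile


def score(event, profile):
    """Reasons an event deviates from its user's profile; an empty list means it looks normal."""
    p = profile.get(event["user"])
    if p is None:
        return ["user has no check-out history"]
    reasons = []
    if event["target"] not in p["targets"]:
        reasons.append("first check-out for target %s" % event["target"])
    if not (min(p["hours"]) <= event["ts"].hour <= max(p["hours"])):
        reasons.append("outside the user's usual hours (%02d:00)" % event["ts"].hour)
    if subnet(event["src"]) not in p["subnets"]:
        reasons.append("new source subnet %s.0/24" % subnet(event["src"]))
    return reasons


def find_anomalies(baseline_text, new_text):
    """Events from new_text that deviate from the profiles learned from baseline_text."""
    profile = build_baseline(parse(baseline_text))
    flagged = []
    for e in parse(new_text):
        reasons = score(e, profile)
        if reasons:
            flagged.append({"user": e["user"], "target": e["target"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_anomalies(BASELINE_LOG, NEW_LOG):
        print(hit["user"], hit["target"], "; ".join(hit["reasons"]))
```

On the constructed data the routine flags the 02:13 check-out of an unfamiliar target from a new subnet and the user with no history, while the two in-profile check-outs pass. The working-hour window is deliberately a range rather than an exact set of hours, otherwise every previously unseen hour would raise noise.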
Market Analysis

Vendor Categories

Vendors of PAM solutions have offerings in at least one of these categories:

- Shared account password management (SAPM)
- Privileged session management (PSM)
- Superuser privilege management (SUPM)
- Application-to-application password management (AAPM)
- Active Directory (AD) bridging tools

SAPM

Solutions that fall into this category provide an encrypted and hardened password safe or vault for storing credentials, keys and other secret information. Passwords of administrative, shared and service accounts are managed by changing them at configurable intervals (even, if desired, after every use) according to definable policies. Reconciliation features verify that passwords have not been changed through any other mechanism, and password history is available to support restores from earlier backups.

SAPM products control access to shared accounts, allowing authorized users to access them. Ideally, these users will not see the actual passwords. Instead, SAPM products are often tightly coupled with PSM functions or products that automatically initiate sessions without disclosing credentials. This complies with the imperative that passwords for shared accounts must not be shared, because sharing them leads to uncontrolled access (see "Ten Best Practices for Managing Privileged Accounts"). Where this is not possible or practical, passwords can be disclosed to the user by placing them into the clipboard or copy buffer, or even displaying them, followed by an optional automated password reset as soon as the current use of the password has concluded. Administrative access can be associated with additional workflow approvals and/or higher-trust authentication methods. An irrefutable audit trail is kept that documents all privileged account use.

In addition to granting access, SAPM tools often implement workflow features for administrative users to request access, and for authorized approvers to grant it. In some cases this can also be automated by including external data sources: service desk tickets that contain change control authorizations, or incident reports that document outages or anomalies that need to be rectified. Most products integrate with ITSM systems or provide APIs to validate administrative access requests by cross-checking them with information from ITSM systems.

SAPM products, by themselves or in combination with AAPM tools, also manage passwords and other credentials for nonhuman access, such as service or application accounts.
These are accounts used by automated services or applications for accessing other applications, data or systems (see "How to Manage Authentication and Credentials for Software Accounts").

PSM

Gartner defines PSM as implementing these features:

- Session establishment and control
- Session recording (for later analysis), and real-time monitoring (for real-time surveillance)

In some cases, PSM modules or products implement only one of these features; for example, SUPM systems that do not control the sessions of regular users but start recording the session as soon as privilege elevation happens (such as when a user attempts to execute a command with elevated privileges). In other cases, especially in PSM modules integrated with SAPM systems, the automatic establishment of privileged sessions happens as part of the credential check-out process. A session is initiated using a well-known protocol (SSH, RDP, ICA, VNC, HTTPS, X11), and the user is automatically logged in. Typically, credential injection happens at this time, so that the authorized administrator is logged in automatically without the password being revealed.

The majority of vendors of PSM modules use a gateway, or proxy, approach. With this approach, all traffic passes through one or more control points. Another approach is to initiate direct connections from the administrator's workstation to the target systems, and to inject credentials into the session on the workstation using a local control. This is either a fixed, preinstalled agent, or a dynamic microagent that is used only for that particular session and automatically pushed to the workstation on demand (for example, via ActiveX).

Session recording and transcription is another important aspect of PSM. Features range from simple searchable keystroke or input/output (I/O) logging to over-the-shoulder video recording of graphical sessions. For the latter, real differentiators are found in session playback functionality. The most basic PSM systems support only a 1:1 playback of the entire session: if an administrator paused for 10 minutes, the 10-minute pause will also be in the video. More advanced playback features allow automatic skipping forward and backward based on user activity. Higher-end monitoring features transcribe sessions into searchable metadata for all events that can be gathered from the session protocol (such as applications executed, windows opened and text typed), or even perform full optical character recognition (OCR) scanning of the entire graphical session.

Another important aspect of PSM is session monitoring and alerting in real time. This allows live monitoring of privileged sessions by administrators or managers, who can intervene or even terminate the session if necessary. This feature is also known as "dual control." A few vendors also provide capabilities to analyze privileged sessions in real time and generate alerts or notifications (via , text messages or Simple Network Management Protocol [SNMP]) when suspicious behavior is detected.

SUPM

SUPM tools work by allowing certain commands to be run under elevated privileges, or by restricting the commands that can be executed. A common example of a classical SUPM tool is the "sudo" command on many Unix and Linux systems, or the "runas" command for Microsoft Windows.
These commands allow a user to run a command under the privilege level of another user (typically an administrator or superuser). Several SUPM vendors work at the shell level by shipping replacements of a shell, or of the "sudo" command on Unix and Linux systems, that integrate with a centralized policy service. In those cases, SUPM tools can log privileged commands or shell sessions.

Other approaches to SUPM limit (filter) the commands that can be run under elevated privileges. This can happen, in order of granularity from coarse to fine:

- On a protocol level (via a gateway or proxy)
- At a shell level
- At kernel level

The granularity at the kernel level is the highest, allowing control at a very fine level, but at a higher cost of administration. At the other end, protocol-level filtering is easiest to implement and maintain, but does not offer the same reliability or granularity. Context-sensitive command filtering allows SUPM tools to control access based on predefined contextual attributes such as network, access client and program, time and location of access, etc.
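The PSM and SUPM sections above describe three mechanisms that fit together in one gateway: a control point between the administrator and the target, context-sensitive command filtering (network and time of access in addition to the command itself), and a text-based session recording that can be searched and replayed while skipping idle time. The Python block below is an added example written for this guide, not code from any vendor named on this page. The policy rules, the group memberships, the PATH-resolution table and the session itself are all constructed. It models protocol/shell-level filtering (pattern matching on the resolved command line), which, as the text notes, is coarser than kernel-level enforcement; matching on the resolved absolute path rather than on the typed text is the minimum needed for such patterns to mean anything.

```python
import fnmatch
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for PATH resolution on the target host. Rules match the resolved
# absolute command line, not whatever was typed; names that do not resolve are refused.
RESOLVED_PATHS = {"service": "/usr/sbin/service", "cat": "/bin/cat", "rm": "/bin/rm", "id": "/usr/bin/id"}
GROUPS = {"jsmith": {"webops"}, "akumar": {"dba"}}  # constructed group membership


@dataclass(frozen=True)
class Rule:
    group: str       # group the rule applies to; "*" means everyone
    pattern: str     # glob over the resolved command line
    networks: tuple  # allowed source-address prefixes (context: network)
    hours: tuple     # inclusive (start, end) hour window (context: time of access)
    action: str      # "allow" or "deny"


# Constructed policy: first matching rule wins; anything unmatched is denied.
POLICY = [
    Rule("*", "/bin/rm -rf /*", ("",), (0, 23), "deny"),
    Rule("webops", "/usr/sbin/service httpd *", ("10.0.",), (7, 19), "allow"),
    Rule("webops", "/bin/cat /var/log/httpd/*", ("10.0.",), (0, 23), "allow"),
    Rule("*", "/usr/bin/id", ("",), (0, 23), "allow"),
]


def canonicalize(command):
    """'service httpd restart' -> '/usr/sbin/service httpd restart'; None if the program is unknown."""
    parts = command.split()
    if not parts:
        return None
    path = parts[0] if parts[0].startswith("/") else RESOLVED_PATHS.get(parts[0])
    if path not in RESOLVED_PATHS.values():
        return None
    return " ".join([path] + parts[1:])


def evaluate(policy, user, src_ip, when, command):
    """Context-sensitive filtering: group, command glob, source network and hour must all fit."""
    resolved = canonicalize(command)
    if resolved is None:
        return "deny"
    for rule in policy:
        if rule.group != "*" and rule.group not in GROUPS.get(user, set()):
            continue
        if not fnmatch.fnmatchcase(resolved, rule.pattern):
            continue
        if not src_ip.startswith(rule.networks) or not (rule.hours[0] <= when.hour <= rule.hours[1]):
            continue
        return rule.action
    return "deny"


@dataclass(frozen=True)
class Event:
    at: datetime
    decision: str
    text: str


class SessionRecorder:
    """Text (I/O) recording of one privileged session: searchable, with activity-based playback."""
    def __init__(self):
        self.events = []

    def record(self, at, decision, text):
        self.events.append(Event(at, decision, text))

    def playback_plan(self, max_idle=timedelta(seconds=5)):
        # Replay offsets where every idle gap longer than max_idle is collapsed to max_idle,
        # so a 10-minute pause does not cost the reviewer 10 minutes.
        plan, offset = [], timedelta(0)
        for prev, cur in zip([None] + self.events, self.events):
            if prev is not None:
                offset += min(cur.at - prev.at, max_idle)
            plan.append((offset, cur))
        return plan

    def search(self, pattern):
        rx = re.compile(pattern)
        return [e for e in self.events if rx.search(e.text)]


class Gateway:
    """Proxy-style control point: each command is policy-checked and recorded before it could reach the target."""
    def __init__(self, policy, recorder):
        self.policy, self.recorder = policy, recorder

    def submit(self, user, src_ip, when, command):
        decision = evaluate(self.policy, user, src_ip, when, command)
        self.recorder.record(when, decision, "%s@%s$ %s" % (user, src_ip, command))
        return decision == "allow"


def demo_session():
    """Constructed session: returns the allow/deny outcome of each command and the recorder."""
    rec, t0 = SessionRecorder(), datetime(2014, 6, 10, 9, 0, 0)
    gw = Gateway(POLICY, rec)
    steps = [
        ("jsmith", "10.0.5.7", t0, "service httpd restart"),                                # allowed
        ("jsmith", "10.0.5.7", t0 + timedelta(seconds=2), "cat /var/log/httpd/error_log"),  # allowed
        ("jsmith", "10.0.5.7", t0 + timedelta(minutes=12), "rm -rf /var/www"),              # explicit deny rule
        ("jsmith", "192.168.1.5", t0 + timedelta(minutes=13), "service httpd restart"),     # wrong network
        ("akumar", "10.0.5.7", t0 + timedelta(minutes=14), "service httpd restart"),        # not in webops
        ("akumar", "10.0.5.7", t0 + timedelta(minutes=14, seconds=1), "id"),                # everyone may run id
        ("jsmith", "10.0.5.7", t0 + timedelta(hours=13), "service httpd restart"),          # 22:00, outside hours
    ]
    return [gw.submit(*step) for step in steps], rec
```

Every command, allowed or not, lands in the recording with its decision, so the transcript doubles as the audit trail the SAPM section asks for. The constructed session spans about thirteen hours of wall-clock time, yet the activity-based playback plan replays it in 23 seconds.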
AAPM

AAPM tools are add-ons to SAPM tools, and are used to eliminate hard-coded passwords or credentials stored in configuration files. Credentials are pulled from the vault using a proprietary interface provided by the PAM vendor. These interfaces usually take the form of APIs, software development kits (SDKs) and command line interfaces (CLIs), and require applications or scripts to be modified. The modification is usually simple; however, testing must happen for every application modified, which places a considerable burden on organizations (see "Adopt a Strategy to Deal With Service and Software Account Passwords").

AAPM provides functions to pull credentials from the vault; therefore, a trusted session must be established between the application or script and the vault. Differentiators exist in how this session trust is established. In its simplest form, this requires the application to authenticate to the vault with a certificate or another credential. This does not really solve the issue but, instead, pushes the problem from one side to the other, substituting one stored credential (the original hard-coded or stored credential) with another (the new credential required to authenticate to the vault). For purposes of differentiation, Gartner does not consider this mechanism to be full AAPM. Full AAPM tools recognize an application or script, rather than authenticating it, by taking multiple factors into account and thereby completely eliminating the stored credentials. Examples of these factors are the "fingerprints" of the application or script and its configuration files, the host on which it runs, the user ID that started it, the directory from which it runs, a one-time password (OTP) value that changes after every invocation, etc. AAPM software that eliminates hard-coded and unencrypted stored credentials altogether embraces the most secure form of delivering credentials to applications or scripts.
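The SAPM section above (vaulting, rotation after use, reconciliation against the target, ticket-plus-approver workflow, audit trail) and the AAPM section just read (recognizing an application by fingerprint instead of handing it yet another stored credential) can be shown on one small model, since both revolve around the same vault. The Python block below is an added example written for this guide, not code from any vendor named on this page. TargetSystem stands in for a managed host, the account, passwords and script are constructed, and the fingerprint inputs (script hash, host, user ID, run directory) are the factors the text lists; the per-invocation OTP factor is left out.

```python
import hashlib, hmac, secrets, string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "-_!%^*"

def random_password(length=24):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class TargetSystem:
    """Stand-in for a managed host holding the live password of one account (constructed)."""
    def __init__(self, name, account, password):
        self.name, self.account, self._password = name, account, password
    def verify(self, password):
        return hmac.compare_digest(self._password, password)
    def change_password(self, current, new):
        if not self.verify(current):
            raise PermissionError("target rejected the current password")
        self._password = new

def app_fingerprint(script_bytes, host, user, directory):
    """Recognition instead of authentication: the credential is bound to what the caller *is*
    (content hash of the script, host, user ID, run directory), so the script stores no secret."""
    h = hashlib.sha256()
    for part in (hashlib.sha256(script_bytes).hexdigest(), host, user, directory):
        h.update(part.encode() + b"\0")
    return h.hexdigest()

class Vault:
    def __init__(self):
        self._records = {}   # (target name, account) -> record
        self._bindings = {}  # application fingerprint -> (target name, account)
        self.audit = []      # audit trail; an in-memory list here, append-only storage in practice
    def _log(self, **event):
        event["at"] = datetime.now(timezone.utc).isoformat()
        self.audit.append(event)
    def enrol(self, target, current_password):
        key = (target.name, target.account)
        self._records[key] = {"target": target, "password": current_password, "history": [], "holder": None}
        self.rotate(key)  # the pre-enrolment value may be known elsewhere, so replace it at once
        return key
    def rotate(self, key):
        rec, new = self._records[key], random_password()
        rec["target"].change_password(rec["password"], new)
        rec["history"].append(rec["password"])  # kept so a restored backup can still be reached
        rec["password"] = new
        self._log(event="rotate", key=key)
    def reconcile(self, key):
        # Detect an out-of-band change: does the target still accept what the vault holds?
        rec = self._records[key]
        in_sync = rec["target"].verify(rec["password"])
        self._log(event="reconcile", key=key, in_sync=in_sync)
        return in_sync
    def check_out(self, user, key, ticket, approver):
        if not ticket or approver == user:  # a change ticket and a second person are required
            self._log(event="checkout_denied", key=key, user=user)
            raise PermissionError("needs a ticket and an approver other than the requester")
        rec = self._records[key]
        rec["holder"] = user
        self._log(event="checkout", key=key, user=user, ticket=ticket, approver=approver)
        return rec["password"]
    def check_in(self, user, key):
        rec = self._records[key]
        if rec["holder"] != user:
            raise PermissionError("not the current holder")
        rec["holder"] = None
        self._log(event="checkin", key=key, user=user)
        self.rotate(key)  # whatever the human saw is now useless
    def bind_application(self, key, fingerprint):
        self._bindings[fingerprint] = key
    def fetch_for_application(self, script_bytes, host, user, directory):
        fp = app_fingerprint(script_bytes, host, user, directory)
        key = self._bindings.get(fp)
        if key is None:
            self._log(event="app_denied", fingerprint=fp[:12])
            raise PermissionError("caller not recognized")
        self._log(event="app_fetch", key=key, fingerprint=fp[:12])
        return self._records[key]["password"]

def is_denied(call, *args, **kwargs):
    try:
        call(*args, **kwargs)
        return False
    except PermissionError:
        return True

def demo():
    """One account through enrolment, human check-out/in, application fetch and reconciliation."""
    db, vault = TargetSystem("db01", "oracle", "Initial-Pass-1"), Vault()  # constructed
    key = vault.enrol(db, "Initial-Pass-1")
    out = {"initial_still_valid": db.verify("Initial-Pass-1")}
    out["self_approval_denied"] = is_denied(vault.check_out, "jsmith", key, ticket="CHG-1234", approver="jsmith")
    pw = vault.check_out("jsmith", key, ticket="CHG-1234", approver="mlee")
    out["checked_out_works"] = db.verify(pw)
    vault.check_in("jsmith", key)
    out["valid_after_checkin"] = db.verify(pw)
    script = b"#!/bin/sh\n# nightly export job (constructed)\nexport_db oracle\n"
    vault.bind_application(key, app_fingerprint(script, "batch01", "backup", "/opt/export"))
    out["app_fetch_works"] = db.verify(vault.fetch_for_application(script, "batch01", "backup", "/opt/export"))
    out["modified_script_denied"] = is_denied(vault.fetch_for_application, script + b"echo x\n", "batch01", "backup", "/opt/export")
    db._password = "changed-by-hand"  # an administrator changed it outside the vault
    out["in_sync_after_drift"] = vault.reconcile(key)
    out["audit_events"] = len(vault.audit)
    return out
```

Two points worth noticing in the walk-through: the password a human checks out stops working the moment it is checked in, which is what makes clipboard or on-screen disclosure tolerable; and a one-line change to the script changes its fingerprint, so the vault refuses it without any secret ever having been placed in the script. The reconciliation step is the failure mode to watch: once an administrator changes the password outside the vault, the vault can neither serve the account nor rotate it until the drift is resolved.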
AD Bridging Tools

AD bridging tools extend Active Directory to Unix and Linux systems. This allows users and groups defined in Active Directory to be recognized by, and to log into, those Unix and Linux systems that have an appropriate AD bridging agent installed. These tools also sometimes extend the coverage of some AD group policy objects (GPOs) to Unix and Linux. While AD bridging tools by themselves are not strictly PAM tools, they are often sold and used in combination with SUPM tools (usually, but not necessarily, from the same vendor). This combined use can eliminate, or at least drastically reduce, the requirement for shared accounts.

Pricing

PAM vendors offer vastly diverse pricing models. These are based on varying metrics, from number of privileged users, managed target systems and accounts, and number of simultaneous sessions, to delivery options (physical or virtual appliance, SaaS) and deployment types (host- or gateway-based). Some vendors bundle functionality together; others sell different modules separately. Several vendors also use different metrics for features like SAPM, SUPM, AAPM, PSM or AD bridging: sometimes one module is licensed per privileged user, and another per managed target system. Gartner advises potential customers to shop around, because there is a large variation in pricing.
Representative Vendors

The vendors listed in this Market Guide do not constitute an exhaustive list. This section is intended to provide more understanding of the market and its offerings. Figure 1 presents the representative vendors and their key features.

Figure 1. Representative Vendors and Their Key Features
Source: Gartner (June 2014)

Here's how Gartner defines functionality across PAM segments:

- SAPM: Enforcement of password policy, password vaulting and automatic changing/randomizing of privileged accounts. Enforcement of controls around access to those accounts. Workflow capabilities. Tools that can provide single sign-on (SSO) access to administrative accounts without actually managing passwords or enforcing password policies have partial functionality.
- SUPM: Full command control functionality is delivered by tools that can enforce filtering of commands on a shell level or kernel level. Tools that can filter commands based on session interception through a proxy or gateway have partial functionality.
- PSM: A full solution will support complete session management, as well as logging/monitoring of at least the Telnet, SSH and RDP protocols, and intelligent playback functionality.
- AAPM: A full solution will offer APIs for applications to pull passwords from the vault, eliminate any need to store credentials or private keys, and eliminate the need for applications to authenticate to the vault by recognizing them instead.
- AD Bridge: Extension of users, groups and some GPOs from Microsoft Active Directory to Unix and Linux.

Key differentiators for PAM solutions are shown based on these definitions (see Figure 2):

- Hypervisors: Automatic discovery and optional enrollment of infrastructure within hypervisors.
- Autodiscovery: Full capability indicates the automatic discovery of administrative or service accounts in Windows, and potentially across other operating systems and applications. Partial capability indicates the use of IGA connectors, or indirect discovery by querying other information sources.
- Multitenancy: Specific features to allow use of the same PAM platform by multiple different parties in complete isolation, each managing a different set of credentials.
- Privileged Analytics: Behavioral analytics of administrative access.
- Session Transcription: Analysis of privileged sessions and generation of searchable textual metadata that documents what was done by an administrator during the session. Partial capability will make text-based sessions (SSH) searchable, and will transcribe metadata from the RDP protocol. Full capability will go beyond these features to use OCR, or use local agents to further enrich the generated metadata.
- Advanced Cloud: Specific features to either autodiscover cloud infrastructure or to offer fine-grained management of IaaS and PaaS administrative operations.
- Out-of-the-Box ITSM Integration: Existing out-of-the-box integration with ITSM systems, not just an API that can be harnessed to integrate those systems manually; the latter is provided by virtually every SAPM product.
Figure 2. Representative Vendors and Their Key Differentiators
OOB = out of the box
Source: Gartner (June 2014)

Here's how Gartner defines PAM market share segments:

- Small: Less than $10 million
- Medium: Between $10 million and $50 million
- Large: Greater than $50 million
Arcon

Solution Brief: Arcon risk control solutions offers the Arcos PAM Suite, which features SAPM, AAPM, SUPM and PSM capabilities under one umbrella:

- SAPM and AAPM: Arcos PAM offers password vaulting, an API for password retrieval by applications/scripts, and automated password reset and synchronization for application-to-application or service accounts on a variety of platforms via its Privilege Password Manager (PPM) module.
- SUPM: Offers command control and privilege management on a variety of operating systems and databases via an access control engine and ready-to-use whitelist/blacklist controls.
- PSM: Provides session recording (keystrokes and screen) for all sessions initiated through its PAM solution in the form of frames, which can be replayed as a DVR-style video. Offers advanced command logging for SSH-based sessions.

Form Factor: The Arcos PAM Suite is available as software for Windows and Linux, as a physical appliance, as a virtual appliance for VMware, or as cloud-hosted SaaS.

Integration: Out-of-the-box ITSM integration with BMC Remedy.

Differentiators: Multitenancy and multidomain authentication features help provide seamless access for IT service providers and cloud-based infrastructure providers over a centralized architecture. Advanced PAM features for databases. Enhanced reporting and analytics module, which provides a live dashboard.

Market Brief: Small market share, mostly Asia/Pacific, the Middle East and North Africa. Banking and securities, telecommunications and IT services organizations make up a large share of sold licenses.

BalaBit

Solution Brief: BalaBit offers Shell Control Box (SCB), a PSM and monitoring system with some lightweight SUPM functionality. It acts as a proxy gateway between privileged users and systems, and supports several protocols: SSH, Telnet, TN3270, RDP, Citrix ICA, X11, SCP, SFTP, HTTP, HTTPS and VNC. SCB offers a range of functionality (gateway authentication, authorization, access control, real-time alerts, auditing, forensics, reporting) for every system using these protocols. When monitoring traffic of these protocols in real time, SCB can send alerts or block the connection if a certain pattern appears in the command line or on the screen. SCB supports proxy authentication, where an administrator authenticates to SCB with his or her credentials, and SCB then establishes a connection to the target system using a stored credential from a vault. Optionally, a four-eyes principle (dual control) can be enforced, where an approver needs to authorize a session before it happens, and can watch or even terminate the session while it is being executed.
Form Factor: The solution is delivered as a physical or virtual appliance for Microsoft Hyper-V and VMware ESXi server 4 or later.

Integration and Partnerships: Support for multiple hardware security modules (HSMs). Partnerships with Dell, Lieberman Software and Thycotic: SCB can use Lieberman Software's EPRM or Thycotic's Secret Server as a vault.

Differentiators: Extensive session transcription functionality, including OCR capabilities to log metadata about administrator actions in graphical user interfaces. All of this metadata is recorded into searchable audit trails, making it easy to find relevant information in forensics or other situations.

Market Brief: Medium market share. Focused on Europe and Asia/Pacific, with reseller and integration partnerships in these areas that are generating revenue. Very small presence in the U.S. Top vertical industries are government, banking and securities, telecommunications and IT services.

BeyondTrust

Solution Brief: BeyondTrust offers a complete PAM portfolio consisting of:

- PowerBroker Password Safe (SAPM, PSM)
- PowerBroker for Unix and Linux (SUPM and session monitoring)
- PowerBroker for Windows (SUPM and session monitoring)
- PowerBroker Identity Services (AD bridging)

Form Factor: PowerBroker Password Safe is delivered in a high availability (HA) configuration as a physical or virtual appliance, or a combination. All other products are available as installable software for their respective operating systems.

Integration and Partnerships: Out-of-the-box integration with BMC Remedy. Integration with more than 20 SIEM systems through the bundled BeyondInsight product.

Differentiators: BeyondTrust provides additional functionality for cloud environments, such as autodiscovery and in-depth inventory across Amazon AWS, VMware vCenter, GoGrid, Rackspace and IBM SmartCloud environments. Also, the company bundles its BeyondInsight IT Risk Management Platform at no additional charge with its PAM products. BeyondInsight adds context-aware security intelligence capabilities, asset discovery, reporting and analytics, workflow and ticketing, as well as alerting.

Market Brief: Large market share. Worldwide presence through partnerships. Most customers are in North America, followed by EMEA. Banking and securities and retail organizations make up a significant share of the company's customers.

CA Technologies

Solution Brief: CA Technologies offers comprehensive features across all aspects of PAM:
- CA ControlMinder (SAPM, SUPM, AAPM, AD bridging, reporting)
- CA ControlMinder Shared Account Management (password management for privileged accounts)
- CA ControlMinder for Virtual Environments (privileged identity management for hypervisors and virtual machines)
- CA Session Recording (PSM/monitoring)
- CA User Activity Reporting for privileged access

Form Factor: All products are delivered as installable software, except for CA ControlMinder for Virtual Environments and CA User Activity Reporting, which are delivered as a virtual appliance for VMware.

Integration and Partnerships: Out-of-the-box integration with CA User Activity Reporting (embedded), CA Session Recording and LogRhythm. In terms of ITSM integration, ControlMinder integrates with CA Service Desk Manager. OEM partnerships with HyTrust (included in CA ControlMinder for Virtual Environments) and ObserveIT (CA Session Recording and CA Session Recording for Shared Account Management). Integration with GovernanceMinder to provide certification of who has access to shared accounts, and integration with CA IdentityMinder for shared account management of systems managed by IdentityMinder.

Differentiators: Fine-grained SUPM for Unix/Linux and Windows based on a kernel module, and a centrally managed sudo replacement.

Market Brief: Large market share. Global footprint across all geographies. Top vertical industries in terms of revenue are banking and securities, telecommunications, government and utilities.

Centrify

Product Brief: The Centrify Server Suite offers AD bridging, SUPM functionality and host-based/gateway-based monitoring for Windows, Unix and Linux systems. AD bridging and SUPM functionality require an agent to be installed on all managed systems. For Unix and Linux systems that cannot be fitted with a Centrify agent, a special network information service (NIS) service or Lightweight Directory Access Protocol (LDAP) proxy service can be made available. Monitoring functionality can be deployed as a host-based or proxy-based solution, with the company indicating that most customers prefer the host-based approach. Instead of allowing access only via a gateway, the solution by design allows administrators to connect to machines directly. For additional control, the solution can prevent access from unauthorized systems, in addition to user-based controls.

Form Factor: The Centrify Server Suite is delivered as installable software for Windows, Unix and Linux.
Integration and Partnerships: Lieberman Software for SAPM, and Thycotic for SAPM and AAPM. Centrify offers Insight, a packaged application for Splunk that provides real-time visibility into the management of, and access to, protected systems. Centrify also has out-of-the-box integrations with cloud and help-desk-based systems, including Zendesk, ServiceNow and salesforce.com.

Differentiators: Centrify adds optional federation capabilities through its companion product, Centrify User Suite, which is offered as a service and allows cloud SSO for users and administrators.

Market Brief: Medium market share. Centrify has an extensive global network of reseller partnerships, although the majority of licenses are sold in the U.S.

CyberArk

Product Brief: The CyberArk Privileged Account Security solution offers comprehensive functionality across PAM: SAPM, SUPM and PSM capabilities across Unix, Linux and Windows. SUPM also supports an extensive list of network devices.

- Enterprise Password Vault (EPV) provides SAPM capabilities
- Application Identity Manager (AIM) provides AAPM capabilities, with special integration modules for several Java application servers
- Privileged Session Manager (PSM) establishes a single access control point and real-time monitoring
- On-Demand Privileges Manager (OPM) implements SUPM for Unix and Linux systems
- CyberArk also offers OPM for Windows, an OEM version of Avecto Privilege Guard
- Privileged Threat Analytics analyzes and provides alerts on suspicious privileged user behavior to enable a quick response

Form Factor: EPV and PSM are sold as software, physical or virtual appliance; other products as software for the respective operating systems.

Integration and Partnerships: Two-way integration with HP ArcSight, RSA NetWitness, IBM QRadar and Intel/McAfee. Data is fed into the SIEM, and consumed from the SIEM. OEM relationship with Avecto, where CyberArk resells Avecto Privilege Guard branded as OPM for Windows. Out-of-the-box integration with BMC Remedy, HP and ServiceNow. APIs available for workflow integration.

Differentiators: Multitenancy features permit the vault to contain separate "safes" that can be individually assigned without a common administrator. Location-based access controls can further segregate various safes into different locations.

Market Brief: Large market share. Strong market presence in North America and EMEA. Lesser presence in Asia/Pacific. Banking and securities and IT services organizations are represented
15 particularly strong within customer list. CyberArk is the company that comes up most in inquiries from Gartner clients. Dell Product Brief: Dell delivers these PAM products: Privileged Password Manager (SAPM) Privileged Session Manager provides PSM and proxy-based SUPM capabilities Privileged Access Suite for Unix is delivered as software and provides host-based AD bridging, SUPM, monitoring and logging features for Unix and Linux systems For Privileged Access Suite for Unix, Dell offers two variants a richer-featured replacement for the sudo command, or an augmentation of the standard sudo. Form Factor: Privileged Access Suite for Unix is delivered as software for Unix and Linux, all others as a physical appliance. Integration and Partnerships: Integration of SAPM and PSM functions with Dell One Identity Manager to provide extended privileged IGA capabilities. Differentiators: Dell offers customers options to license SAPM, PSM and gateway-based SUPM on a per-administrator or per-server basis (in addition to the fixed price for the appliance). According to the company, only one in 12 customers require professional services to deploy the product. Market Brief: Large market share. Particular growth in EMEA. IT services industry and banking and securities lead the way for Dell PAM bookings. Hitachi ID Product Brief: Hitachi ID's Privileged Access Manager provides SAPM, AAPM and PSM functionality. Unique features exist around the concept of temporary group assignments. This allows a user to temporarily elevate the privilege level. Also, a user's public SSH key can temporarily be placed into a trusted keys file of a functional account that is equipped with sudo privileges. PSM is delivered using ActiveX components and does not require proxies, gateways or software installations on managed systems. SSO also happens via ActiveX credential injection. This requires administrative access to be made from Windows systems only. 
Alternatively, users on non-Windows systems can connect to a Citrix or Windows Terminal Services intermediate system and launch an SSO connection from there. Autodiscovery functionality can probe systems in a massively parallel fashion and apply rules to decide whether a system should be managed, which accounts should be managed and which security policy should apply.
Form Factor: The solution is delivered as software for Windows, as a virtual appliance or as SaaS.
Integration and Partnerships: Out-of-the-box integration with 10 different ITSM systems.
Differentiators: Extensive support for multitenancy. Advanced active-active clustering for high availability, scalability and instant recovery without downtime. Features for handling systems that are often disconnected (laptops). Data-masking features for session playback. Workflow capabilities for auditors to require approval to search/view sessions.
Market Brief: Small market share. Most customers are in North America, with a modest presence in EMEA and a small presence in Japan. Banking and securities and telecommunications organizations are strongly represented among Hitachi ID's customers.

IBM
Product Brief: IBM Security Privileged Identity Manager (PIM) provides SAPM capabilities. Privileged Session Recorder covers simple agent-based session monitoring. The solution is based on IBM's enterprise SSO (ESSO) and IGA functionality. Alternatively, IBM has a partnership with ObserveIT for more-advanced requirements. IBM Security Privileged Identity Manager includes a full license to Cognos Business Intelligence, and ships a number of out-of-the-box reports and dashboards that provide privileged analytics capabilities, such as usage patterns and histories.
Form Factor: Software, virtual appliance, hosted/managed service. The management component runs on Windows, Unix or Linux. According to the company, most new customers choose the virtual appliance.
Integration and Partnerships: Partnerships with ObserveIT for advanced monitoring, and with Prolifics for service account governance. IBM's solution integrates with BMC Remedy and IBM SmartCloud Service Center (formerly Tivoli Service Request Manager).
There is also an integration with IBM QRadar Security Intelligence, IBM's SIEM product, which collects PIM audit logs and can correlate check-in/check-out events against other related events on the endpoint to detect out-of-process access.
Differentiators: Full rights to IBM Security Identity Manager (ISIM) for licensed privileged users are included in the solution, and provide privileged identity governance and administration.
Market Brief: Medium market share. Most growth and interest is coming from Southeast Asia, followed by North America, with EMEA a distant third. Telecommunications, banking and securities, retail and healthcare organizations are leading revenue growth.

Lieberman Software
Product Brief: Lieberman Software's Enterprise Random Password Manager (ERPM) provides SAPM capabilities that include system and account discovery, identity correlation, password management and vaulting features. Discovery features go deep, and include services and applications on multiple operating systems, as well as hypervisors and guest machines, including cloud-hosted VMs.
Form Factor: Available as software for Windows and as a virtual appliance image. ERPM is also available as a cloud offering via Microsoft Azure (hybrid cloud), and can also be installed and used in a private cloud.
Integration and Partnerships: ERPM can be supplemented with products offered in partnership with BalaBit, ObserveIT, Raytheon, Viewfinity and FoxT to add PSM and SUPM capabilities. ITSM integrations with Microsoft SCSM, BMC Remedy, ServiceNow, HP Service Manager, OTRS and Jira, directly or through its event sink system, offer validation of ticket data to confirm a user's access to the relevant assets.
Differentiators: ERPM is strong in service account discovery, especially beyond the service accounts used by Windows Services and Tasks. ERPM is certified by SAP to manage privileged credentials within SAP.
Market Brief: Medium market share. Strong presence in North America, followed by Europe at a distant second place. The top industry verticals for ERPM's growth and interest have been banking and securities, telecommunications, energy resources and processing, utilities, government, and IT services.

ManageEngine
Product Brief: ManageEngine Password Manager Pro (PMP) is a SAPM and PSM solution packaged as one product. It forms part of the ManageEngine suite of more than 24 products for IT management. For privileged session management, the product acts as a gateway for launching Windows RDP and SSH sessions from the user's browser. All sessions are recorded, and playback, as well as session shadowing, is supported; the playback functions are very basic. AAPM functionality is also part of the offering: PMP provides three types of API (SSH CLI, XML-RPC and REST) that applications and scripts can use to retrieve the passwords they need, thereby eliminating the need to hard-code them.
Form Factor: Available as software for Windows or Linux.
Integration and Partnerships: PMP offers session-recording capabilities through OEM versions of Remote Spark for Windows RDP and Maverick SSH Tools for SSH and Telnet.
Differentiators: Multitenancy features. PMP offers secure online and offline mobile access through native apps for iOS and Android. The software is one of the least expensive options when compared with others; however, it lags behind in some features.
Market Brief: Small market share. Strong growth in North America, Australia and several European markets. Particular interest from banking and securities organizations, followed by IT services enterprises.
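The SIEM correlation that the CyberArk and IBM entries above describe (vault check-out and check-in events fed into the SIEM and matched against endpoint events to detect out-of-process access) reduces to a join on account, host and time. The Python below is an added example written for this guide, not code from any vendor named here. Both log formats, the timestamps, hosts, user and account names are constructed for the example, the list of privileged accounts is assumed, and the one-minute grace period after check-in is an assumed tuning value.

```python
"""Flag privileged logons that are not covered by a vault check-out (added example).

Constructed inputs: a vault audit log (CHECKOUT/CHECKIN events) and an endpoint
logon log, both as '<iso-timestamp> <EVENT> key=value ...' lines. Real products
emit other formats; only parse_line() would need to change.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data (not taken from any product).
VAULT_LOG = """\
2014-06-17T08:00:00 CHECKOUT user=alice account=root host=db01
2014-06-17T08:45:00 CHECKIN user=alice account=root host=db01
2014-06-17T09:10:00 CHECKOUT user=bob account=Administrator host=win07
"""

ENDPOINT_LOG = """\
2014-06-17T08:05:12 LOGON host=db01 account=root src=10.1.2.3
2014-06-17T08:50:01 LOGON host=db01 account=root src=10.1.2.3
2014-06-17T09:12:30 LOGON host=win07 account=Administrator src=10.1.2.4
2014-06-17T09:30:00 LOGON host=db02 account=root src=10.1.9.9
2014-06-17T09:40:00 LOGON host=db01 account=appuser src=10.1.2.3
"""

# Accounts whose every use must be backed by a check-out (assumed list).
PRIVILEGED = {"root", "Administrator"}


@dataclass
class Checkout:
    user: str
    account: str
    host: str
    start: datetime
    end: Optional[datetime] = None  # None while still checked out


def parse_line(line: str):
    """'<iso-ts> <EVENT> k=v k=v' -> (datetime, event, {k: v})."""
    ts, event, *pairs = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in pairs)


def load_checkouts(vault_log: str):
    """Pair each CHECKOUT with its CHECKIN; unmatched check-outs stay open."""
    open_, closed = {}, []
    for line in vault_log.splitlines():
        ts, event, kv = parse_line(line)
        key = (kv["user"], kv["account"], kv["host"])
        if event == "CHECKOUT":
            open_[key] = Checkout(*key, start=ts)
        elif event == "CHECKIN" and key in open_:
            co = open_.pop(key)
            co.end = ts
            closed.append(co)
    return closed + list(open_.values())


def covering_checkout(checkouts, account, host, ts, grace):
    """Return a check-out of (account, host) that was active at ts, else None."""
    for co in checkouts:
        if co.account != account or co.host != host or ts < co.start:
            continue
        if co.end is None or ts <= co.end + grace:
            return co
    return None


def find_out_of_process(vault_log, endpoint_log, grace_seconds: int = 60):
    """Every privileged logon without a covering check-out is a finding."""
    checkouts = load_checkouts(vault_log)
    grace = timedelta(seconds=grace_seconds)
    findings = []
    for line in endpoint_log.splitlines():
        ts, event, kv = parse_line(line)
        if event != "LOGON" or kv["account"] not in PRIVILEGED:
            continue  # non-privileged accounts are out of scope here
        if covering_checkout(checkouts, kv["account"], kv["host"], ts, grace) is None:
            findings.append({"ts": ts.isoformat(), "host": kv["host"],
                             "account": kv["account"], "src": kv["src"],
                             "reason": "privileged logon with no covering vault check-out"})
    return findings


if __name__ == "__main__":
    for finding in find_out_of_process(VAULT_LOG, ENDPOINT_LOG):
        print(finding)
```

On the constructed data the second root logon on db01 (after alice checked the account back in) and the root logon on db02 (never checked out at all) are the findings; the Administrator logon on win07 is covered by bob's still-open check-out. A production rule would additionally tie the logon's source address to the workstation of the user who performed the check-out, which this example does not attempt.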
MasterSAM
Product Brief: MasterSAM offers a combination of its Privileged Password, Privileged Access and Granular Access Control modules for SAPM, AAPM and SUPM. SAPM operates via manual password retrieval or as a gateway with proxy autologin to perform privileged operations. SUPM provides escalation of user privileges and granular control via a configurable blacklisting and whitelisting mechanism. MasterSAM offers host- or gateway-based surveillance monitoring and recording to supervise, control and respond to privileged session activities. An analytical engine provides analysis of recorded privileged sessions.
Form Factor: Available as software for Windows and Linux.
Integration and Partnerships: Offers out-of-the-box integration with HP ArcSight and RSA enVision SIEM systems, BMC Remedy (ITSM) and NetIQ Identity Manager (IGA).
Differentiators: MasterSAM has support for multitenanted cloud environments.
Market Brief: Small market share. All of MasterSAM's revenue is generated out of Asia/Pacific. Banking and securities, utilities and government are the top contributors to MasterSAM's PAM growth and interest in the region.

NetIQ
Product Brief: NetIQ Privileged User Manager (PUM) provides command control by defining access rules based on user identity, host, command and time. The product integrates with most systems (Unix, Linux and variants, Windows and network devices) that support SSH and RDP. It also supports integration with VMware ESXi and Hyper-V hypervisors. There are two modes of operation, agent-based and agentless; 90% of NetIQ's customers opt for the former. For monitoring and controlling superuser (root/Administrator) access, an agent needs to be installed on the target system. SAPM capabilities are not offered. However, automated password change for service accounts can be achieved through NetIQ Identity Manager integration, which offers pull and push mechanisms for password synchronization, but does not offer password vaulting capabilities.
Form Factor: NetIQ PUM is available in software and managed service options.
Integration and Partnerships: Provides integration with NetIQ Identity Manager and NetIQ's Sentinel SIEM solution.
Differentiators: The product offers a risk-analysis engine that scores privileged activities according to user, host, type of command and working directory. NetIQ Cloud Security Services (NCSS) offers multitenancy and control of resources across multiple tenants. A PUM-as-a-service option available through NCSS provides privileged account control per tenant through the NCSS infrastructure.
Market Brief: Medium market share. A significant portion of NetIQ's PAM revenue comes from the European market. Banking and securities, and the IT services industry, are the top contributors to NetIQ's PAM growth and interest in the region.

NRI SecureTechnologies
Product Brief: NRI Secure provides these capabilities with its SecureCube Access Check product:
- SUPM: Restricts privileged access based on user, IP address, device and time. Also offers command filtering based on keywords defined in a policy file, in the form of rules that allow access to systems.
- PSM: SecureCube Access Check offers text recording of Telnet, SSH and Oracle Transparent Network Substrate (TNS) sessions; keystroke and DVR-style video recording for RDP sessions; and text recording of command lists and transferred files for FTP, SCP, SFTP and CIFS. Although no search function is available for DVR recordings, text-recorded sessions can be searched for a number of logged informational attributes.
Form Factor: Software for Red Hat Enterprise Linux 6.2 or later.
Integration and Partnerships: Integration with BeyondTrust's and NTT Software's password vaults (PowerBroker Password Safe and iDoperation IM for Access Check, respectively) to offer SAPM and managed system logins. Out-of-the-box integration with Splunk and LogStorage SIEM systems.
Differentiators: Provides access control and other PAM-related features for Oracle databases using TNS protocol gateway features.
Market Brief: Small global market share, but sizeable market presence and strong sales execution in Japan, with a healthy growth rate. NRI Secure is targeting business expansion within the Asia/Pacific region. Manufacturing and natural resources, and banking and securities, are the top vertical industry segments where NRI Secure has most of its growth and interest.

ObserveIT
Product Brief: ObserveIT offers a PSM solution that provides comprehensive session recording and analysis of on-screen activity. Additionally, system calls can be logged as well.
Session recordings are transcribed into an activity index (summary). Detailed session data is also available for free-text search. Search results are linked to the specific point of interest in the video-recorded session. The logged session summary contains information on names of applications and commands run, URLs accessed, as well as UI events, such as text entered (typed, edited, pasted, selected, autocorrected, etc.), titles of windows opened, checkboxes clicked, combo list values selected, etc. Administrators can configure real-time alert triggers based on complex combinations of user action, environment and context, ensuring early warning of human error and malicious actions. Recording policies can control which applications, users and activities are subject to recording. The solution is agent-based, but also allows a gateway approach where an agent is installed on a gateway that controls access to target systems.
Form Factor: On-premises software for Windows and most Unix and Linux distributions, or cloud-hosted service.
Integration and Partnerships: Provides integration with several SIEM and log management tools by providing detailed analysis of recorded sessions and user activity correlation. Also offers integration with six ITSM products including ServiceNow, ServiceDesk and Remedy.
Differentiators: Comprehensive logging and session transcription features across multiple platforms. Provides an integrated offering with cloud providers via the Amazon AWS Enterprise Marketplace and the IBM Software Enterprise Marketplace.
Market Brief: Small market share for PAM products, but sizeable market share for stand-alone PSM products. Several PAM vendors have partnered with ObserveIT to resell the company's product in conjunction with their own. Revenue is distributed globally, with EMEA and North America taking the largest percentage. Top industry verticals contributing to revenue and growth are banking and securities, healthcare providers and telecommunications.

Oracle
Product Brief: Oracle Privileged Account Manager (OPAM) is licensed as part of the Identity Governance Suite (IGS) and provides:
- SAPM: OPAM changes the passwords on the target systems using the same connectors available to the Oracle Identity Governance platform. Privileged accounts are discovered and identified through connectors, which query the target systems and return a list of accounts on these systems.
- PSM: OPAM Session Manager (OPSM) enables elevated access to a target system through proxy/gateway-like functionality. OPSM allows connections for authenticated users based on grants and policies. Session management is currently supported for SSH clients only.
OPSM monitors and records all printable output for each SSH session to maintain searchable historical records (transcripts). OPAM also supports changing service account passwords through push or pull mechanisms, but does not have AAPM functionality. As an alternative, applications can leverage the Oracle Credential Store Framework (CSF), which is supported by OPAM out of the box via the push mechanism.
Form Factor: Software for Windows, Unix and Linux systems.
Integration and Partnerships: Integration with Oracle Identity Governance Suite for privileged identity governance and administration.
Differentiators: OPAM is licensed as a part of the Identity Governance Suite, which can be licensed on a named-user metric or a processor metric.
Market Brief: Small market share. OPAM is a new product, and its market share is evolving. Early adopters are using the product in the U.S., Western Europe and Brazil, and are from banking and securities, government, telecommunications and IT services.

Raz-Lee Security
Product Brief: Raz-Lee Security's iSecurity software suite offers a comprehensive security solution, including PAM capabilities for IBM i (AS/400, iSeries) environments. iSecurity runs on the IBM i platform, from release 5.4 to the latest (7.2). It consists of 20 tools, some of which provide password policy management and PAM capabilities.
- SUPM: Provided by the tools Audit, Command and Authority on Demand.
- PSM: Offers auditing, keystroke recording and screen image capturing of privileged user sessions. Text search is supported.
In addition to syslogs, keystrokes and screen image capturing, Audit monitors all system audit journal (QAUDJRN) activities and can issue real-time alerts, via Action, based on predefined alert rules. A report generator and scheduler are also part of iSecurity.
Form Factor: The solution is delivered as multiple software modules for IBM i.
Differentiators: Raz-Lee Security's iSecurity is focused exclusively on IBM i.
Market Brief: Small market share within PAM, due to specialization on the IBM i SUPM niche. Top contributing industry verticals for Raz-Lee Security are banking and securities and healthcare providers.

Thycotic
Product Brief: Thycotic's Secret Server is a Web-based password management tool offering:
- SAPM: In addition to several platforms, systems, network devices and databases, password management is also available for website accounts (including Windows Live, Google and Amazon). It provides an option of customizable data templates and file uploads to the vault.
- AAPM: Offers several APIs (Web service, application and Web config API) to eliminate hard-coded passwords in applications and scripts.
- PSM: Offers recording of all sessions using its session launcher (except website logins). Fully searchable keystroke and command log data, but only basic replay functionality.
Form Factor: Software for Windows, or a SaaS version (Secret Server Online, providing vaulting and team sharing functionality).
Integration and Partnerships: Integration with HP ArcSight SIEM, Tenable, LogRhythm and Splunk. Thycotic has partnered with BalaBit to extend its portfolio with full PSM and partial SUPM capabilities provided by BalaBit's Shell Control Box (SCB), as well as with Centrify for AD bridging.
Differentiators: Secret Server offers organizations authenticated vulnerability scanning, while keeping credentials secure and audited, through a technology alliance with Qualys.
Market Brief: Small market share. Secret Server finds most growth and interest in North America, followed by EMEA. Top vertical industries include IT services, banking and securities, retail and healthcare providers.

Wallix
Product Brief: Wallix AdminBastion (WAB) offers these PAM capabilities:
- SAPM: WAB provides basic SAPM capabilities and can manage passwords for Windows, Unix and Linux systems, as well as Cisco network devices.
- SUPM: WAB supports context-sensitive command filtering within interactive sessions using advanced regular expressions, which enables WAB to filter user activity based on the context.
- PSM: WAB offers keystroke recording and OCR-based DVR-style session video recording, which enables search capabilities and real-time SIEM feeds for graphical sessions.
WAB offers an agentless architecture based on a proxy server installed between users and target systems to manage privileged identities. It directly supports the SSH v2, RDP, VNC, Telnet, rlogin, SFTP and SCP protocols. An additional Microsoft TSE server installation (with a separate license) is required to integrate with business applications, databases or iSeries/z/OS devices.
Form Factor: Physical or virtual appliance.
Integration and Partnerships: Partnership with Lieberman Software for advanced SAPM capabilities.
Differentiators: Extensive PSM functionality with advanced OCR capabilities for graphical user interfaces, combined with searchable audit trails.
Market Brief: Small market share. Wallix has the majority of its clients in Europe, with some presence in the Middle East, Africa and Asia/Pacific. Top vertical industries comprising Wallix's customer base are banking and securities, government, healthcare providers, and energy resources and processing.
Xceedium
Product Brief: Xceedium offers Xsuite as an integrated PAM product, offering these capabilities:
- SAPM: Xceedium's Credential Safe provides for central administration, storage, release and audit of credentials. Xsuite uses a target connector framework to manage credentials on most systems. The connector framework is extensible, allowing for the addition of customized connectors.
- AAPM: Xsuite offers an API-based AAPM component, the Requestor, which is compiled into the application code and uses an application-to-application client installed on the server to provide AAPM functionality.
- SUPM: Xsuite uses a command control model that is based on the specific rights and permissions associated with a given user's account, as well as specific blacklist/whitelist command filters. It also supports prevention of leapfrogging and lateral movement by privileged users within a network, with the help of an installed socket filter and the blacklist/whitelist approach.
- PSM: Xsuite offers internally developed privileged session management and recording capabilities. User activity is recorded and logged with DVR-like recording for RDP/VNC sessions, Web application sessions and SSH/CLI sessions.
Form Factor: Xsuite is delivered as a hardware appliance, an AWS Amazon Machine Image (AMI) or a VMware virtual appliance.
Integration and Partnerships: Xsuite integrates with BMC's Remedy ITSM solution and nCircle Configuration Compliance Manager.
Differentiators: In addition to supporting on-premises data center resources, Xceedium has partnered with leading cloud vendors to develop Xsuite extensions, providing unique SUPM capabilities and integrations for specific cloud platforms, including AWS, VMware and Microsoft (Office 365).
Market Brief: Medium market share. The majority of Xceedium's customers are within North America. Top vertical industries are government, retail, and banking and securities.

Market Recommendations
PAM tools cover a wide spectrum of capabilities and will help address significant gaps around the control of administrative account usage. SAPM and gateway-based PSM tools are the easiest to deploy, and 82% of customer references indicated that they deployed those tools without the help of an integrator.
Host-based PSM tools offer more-detailed information, but require agents to be installed on systems, increasing deployment time and maintenance cost. Next in ease of deployment are AD bridging tools and host-based SUPM tools, which allow fine-grained command filtering. Installation of SAPM tools can typically be achieved in weeks, or sometimes even days. However, discovery of privileged accounts and their use continues to be a major challenge for organizations, and is expected to take considerable effort. Some vendors differentiate themselves by offering features to scan for and discover accounts programmatically. This can greatly reduce the time and effort, but remember that this is an inexact science: many privileged accounts will likely fall through the cracks of autodiscovery and will need to be discovered through other mechanisms (see "How to Manage Authentication and Credentials for Software Accounts").
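To make the autodiscovery caveat concrete, the following Python script is an added example (not any vendor's discovery engine) that enumerates privileged accounts from the host artifacts an agentless scanner would collect from a Linux system: /etc/passwd, /etc/group, /etc/sudoers and root's authorized_keys. All file contents, account and host names, the admin group list and the application configuration are constructed for the example. The last function reports the privilege signals that this kind of scan cannot resolve into a managed account, which is where the manual follow-up described above begins.

```python
"""Enumerate privileged accounts from Linux host artifacts (added example).
All inputs are constructed strings standing in for collected files."""
import re
from collections import defaultdict

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid-0 account:/root:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
postgres:x:110:115::/var/lib/postgresql:/bin/bash
svc-backup:x:1002:1002::/opt/backup:/bin/sh
"""
GROUP = """\
root:x:0:
sudo:x:27:deploy
wheel:x:10:
"""
SUDOERS = """\
# constructed sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""
# /root/.ssh/authorized_keys; the third field is a free-text comment, usually user@host.
ROOT_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed deploy@ci-runner
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed alice@laptop
"""
# Application config with an embedded database credential (constructed).
APP_CONFIG = """\
db.host=db01
db.user=app_owner
db.password=Sup3rS3cret!
"""
ADMIN_GROUPS = ("sudo", "wheel", "admin")  # assumed admin groups


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_group(text):
    groups = {}
    for line in text.splitlines():
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Yield (user or %group, rule); comments and Defaults lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("Defaults"):
            who, rule = line.split(None, 1)
            yield who, rule


def discover(passwd, group, sudoers, root_keys):
    """Map account name -> set of reasons it counts as privileged."""
    users, groups = parse_passwd(passwd), parse_group(group)
    inv = defaultdict(set)
    for name, u in users.items():
        if u["uid"] == 0:
            inv[name].add("uid 0")
    for g in ADMIN_GROUPS:
        for member in groups.get(g, ()):
            inv[member].add(f"member of {g} group")
    for who, rule in parse_sudoers(sudoers):
        if who.startswith("%"):
            for member in groups.get(who[1:], ()):
                inv[member].add(f"sudoers: {who} {rule}")
        else:
            inv[who].add(f"sudoers: {rule}")
    for line in root_keys.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            owner = parts[2].split("@")[0]
            # A key comment is a hint, not an identity; unknown owners get a '?' prefix.
            inv[owner if owner in users else "?" + parts[2]].add("ssh key trusted by root")
    return dict(inv)


CRED_KEY = re.compile(r"^(?P<key>[\w.]*(user|password)[\w.]*)\s*=\s*(?P<val>.+)$", re.I)


def credentials_in_config(config):
    """(account names, password present?) from a key=value application config."""
    kv = {}
    for line in config.splitlines():
        m = CRED_KEY.match(line.strip())
        if m:
            kv[m.group("key").lower()] = m.group("val")
    return [v for k, v in kv.items() if k.endswith("user")], any(k.endswith("password") for k in kv)


def unresolved(inv, passwd, config):
    """Privilege signals that OS-level discovery cannot tie to a local account."""
    users = parse_passwd(passwd)
    gaps = [name for name in inv if name.startswith("?")]
    cfg_users, has_secret = credentials_in_config(config)
    return gaps + [u for u in cfg_users if has_secret and u not in users]
```

On the constructed host the scan finds the second uid-0 account, the sudo group member, the NOPASSWD service account and the CI key trusted by root. Two things fall through: a root-trusted key whose comment matches no local account, and the database account embedded in the application config, which has no OS-level footprint at all. The postgres OS account is not flagged either, although the database superuser it runs is privileged inside the DBMS; that is the class of account the text says must be found by other means.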
SUPM can be used in a preventive or a detective mode. In preventive mode, command control is used to limit administrator actions. While this looks promising, it is very difficult to carry out in practice to its fullest extent. It requires a delicate balance between allowing an administrator just the right set of commands to carry out the required work, and failing to foresee, and therefore disallowing, commands that may still be needed less frequently. Analytics tools to help create and maintain SUPM policies, blacklists and whitelists are lacking. Given the cost of SUPM tools, organizations should weigh the possibility of deferring an investment in command control tools unless they have a clear idea of how to create and maintain SUPM policies.
Gartner recommends that customers assess their existing privileged account management capabilities, identify gaps and prioritize investment in new PAM capabilities based on the assessment. While PAM suites are available that cover a broad range of capabilities, point solutions exist and can, in some cases, fill existing gaps, or be used in combination for those that favor a best-of-breed approach. Evaluate multiple vendors for capabilities and pricing because of the large range in pricing between vendors (see the Appendix). Gartner clients are encouraged to make use of inquiries for guidance on pricing and capabilities.

Appendix

Vendor Revenue
The top four vendors, grouped by revenue (see Table 1 and Figure 3), accounted for more than 58% of the total PAM market in 2013. No vendor represented more than 20% of total revenue in 2013. As consolidation of PAM modules continues, smaller vendors will focus on delivering functionality and strengths specific to their specialized offerings. Small-market players (less than $10 million in PAM revenue) contributed 14.2% ($63.5 million) of total 2013 market revenue, roughly half of the midmarket players' contribution of 27.3% ($122.1 million).

Table 1. PAM Vendor Revenue by Market Share, 2013

2013 PAM Revenue Band          2013 Revenue      Revenue Share, 2013
Less than $10 million          $63.5 million     14.2%
$10 million to $50 million     $122.1 million    27.3%
More than $50 million          $261.7 million    58.5%
Total                          $447.3 million    100%

Source: Gartner (June 2014)
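The preventive-versus-detective trade-off described in the Market Recommendations above, together with the rule attributes the vendor entries mention (user, host, working directory and a regular expression over the command line, as in the Wallix and NetIQ descriptions), can be shown with a small policy evaluator. The Python below is an added example written for this guide, not any vendor's engine: the policy, the session, the host and user names and the commands are constructed, and "rules evaluated in order, first match wins, unmatched commands denied" is an assumed semantics. It reproduces the failure mode the text warns about (a rarely used but legitimate recovery command that the allowlist did not anticipate) and shows how running the same policy in audit mode first surfaces such gaps as allowlist candidates before enforcement is switched on.

```python
"""SUPM command control in enforce (preventive) and audit (detective) mode.

Added example, not a vendor's policy engine. Rules, session and commands are
constructed. Assumed semantics: rules are evaluated in order, the first match
wins, and a command matched by no rule is denied.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str           # "allow" or "deny"
    user: str = "*"       # "*" matches any user
    host: str = "*"
    cwd: str = "*"        # prefix match on the working directory
    command: str = ".*"   # regex anchored at the start of the command line

    def matches(self, ev):
        return (self.user in ("*", ev["user"])
                and self.host in ("*", ev["host"])
                and (self.cwd == "*" or ev["cwd"].startswith(self.cwd))
                and re.match(self.command, ev["cmd"]) is not None)


# Constructed policy for a database administrator on host db01.
POLICY = [
    Rule("deny-interactive-shell", "deny", command=r"(su|bash|sh)\b"),
    Rule("deny-writes-in-etc", "deny", cwd="/etc", command=r"(rm|mv|chmod|chown)\s"),
    Rule("dba-service", "allow", user="dba", host="db01",
         command=r"systemctl (status|restart) postgresql$"),
    Rule("dba-logs", "allow", user="dba", host="db01",
         cwd="/var/log/postgresql", command=r"(tail|grep|less)\s"),
]

# Constructed session: routine work, one rare recovery command, two abuses.
SESSION = [
    {"user": "dba", "host": "db01", "cwd": "/root", "cmd": "systemctl restart postgresql"},
    {"user": "dba", "host": "db01", "cwd": "/var/log/postgresql", "cmd": "tail -n 100 postgresql-9.3-main.log"},
    {"user": "dba", "host": "db01", "cwd": "/root", "cmd": "pg_resetxlog /var/lib/postgresql/9.3/main"},
    {"user": "dba", "host": "db01", "cwd": "/etc", "cmd": "rm -f /etc/postgresql/9.3/main/pg_hba.conf"},
    {"user": "dba", "host": "db01", "cwd": "/root", "cmd": "su -"},
]


def evaluate(ev, policy):
    """First matching rule decides; nothing matched means deny."""
    for rule in policy:
        if rule.matches(ev):
            return rule.effect, rule.name
    return "deny", "default-deny"


def run_session(events, policy, mode):
    """Return (commands executed, findings).

    enforce: denied commands are blocked and never executed (preventive).
    audit:   everything executes, denials are only recorded (detective).
    """
    executed, findings = [], []
    for ev in events:
        effect, rule = evaluate(ev, policy)
        if effect == "deny":
            findings.append({**ev, "rule": rule,
                             "action": "blocked" if mode == "enforce" else "observed"})
            if mode == "enforce":
                continue
        executed.append(ev["cmd"])
    return executed, findings


def allowlist_candidates(findings):
    """Programs that hit default-deny, counted, for an operator to review.

    Each is either a missing rule (add it) or an abuse (keep denying); the
    tool cannot tell the two apart, which is the policy-maintenance gap.
    """
    counts = {}
    for f in findings:
        if f["rule"] == "default-deny":
            prog = f["cmd"].split()[0]
            counts[prog] = counts.get(prog, 0) + 1
    return sorted(counts.items())


if __name__ == "__main__":
    for mode in ("audit", "enforce"):
        ran, found = run_session(SESSION, POLICY, mode)
        print(mode, "executed:", ran)
        for f in found:
            print("  ", f["action"], repr(f["cmd"]), "<-", f["rule"])
    print("review before enforcing:", allowlist_candidates(run_session(SESSION, POLICY, "audit")[1]))
```

In enforce mode the two abuses are blocked as intended, but so is the pg_resetxlog recovery command, because nobody wrote a rule for it; in audit mode the same policy lets it run and reports it under default-deny, and allowlist_candidates() turns those reports into the review list that the text notes most products still leave the operator to compile by hand. The host-scoped allow rules also mean the same routine command on a different host is denied, which is the intended effect of scoping but another common source of policy churn.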
Figure 3. PAM Vendor Revenue by Market Sector (chart not reproduced). Source: Gartner (June 2014)

PAM Pricing by Scenario
Gartner asked all vendors covered in this Market Guide to provide pricing information for three scenarios. Because of the large differences in features and modules, we restricted our comparison to offerings that included full SAPM capabilities. Eight vendors were included, and each included at least a basic set of PSM capabilities in its offer. The average price calculated does not take into consideration the differences between offers that included hardware appliances and those delivered as software only. Among all deployment scales we studied, prices vary most significantly for large-scale deployments, with more than an order of magnitude between the lowest and the highest offer. The average prices (see Table 2) for the three scenarios are perpetual license prices, and include support and maintenance for the first year.
Table 2. Description of Gartner PAM Scenarios With Average Pricing (average prices rounded down to the nearest thousand)

Deployment Size   Systems   Administrators   Admin/Service Accounts   Data Centers                  Average Price
Small-scale       100       25               500                      1, with high availability     $51K
Medium-scale      1,000     100              5,000                    2, with high availability     $139K
Large-scale       5,000     350              50,000                   4, with high availability     $390K

Source: Gartner (June 2014)

Gartner Recommended Reading
Some documents may not be available as part of your current Gartner subscription.
"How to Manage Authentication and Credentials for Software Accounts"
"Ten Best Practices for Managing Privileged Accounts"
"Adopt a Strategy to Deal With Service and Software Account Passwords"
GARTNER HEADQUARTERS
Corporate Headquarters: 56 Top Gallant Road, Stamford, CT, USA
Regional Headquarters: Australia, Brazil, Japan, United Kingdom
For a complete list of worldwide locations, visit the Gartner website.

Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity.
PowerBroker for Windows Desktop and Server Use Cases February 2014
Whitepaper PowerBroker for Windows Desktop and Server Use Cases February 2014 1 Table of Contents Introduction... 4 Least-Privilege Objectives... 4 Least-Privilege Implementations... 4 Sample Regulatory
The Cloud App Visibility Blindspot
The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before
Cloud Data Security. Sol Cates CSO @solcates [email protected]
Cloud Data Security Sol Cates CSO @solcates [email protected] Agenda The Cloud Securing your data, in someone else s house Explore IT s Dirty Little Secret Why is Data so Vulnerable? A bit about Vormetric
The Forrester Wave : Privileged Identity Management, Q1 2014
For: Security & Risk Professionals The Forrester Wave : Privileged Identity Management, Q1 2014 by Andras Cser, February 3, 2014 Key Takeaways Vendors Enhance Threat Mitigation And Cloud Capabilities Today
PowerBroker for Windows
PowerBroker for Windows Desktop and Server Use Cases February 2014 1 Table of Contents Introduction... 4 Least-Privilege Objectives... 4 Least-Privilege Implementations... 5 Sample Regulatory Requirements...
SANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
Vistara Lifecycle Management
Vistara Lifecycle Management Solution Brief Unify IT Operations Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid
2013 AWS Worldwide Public Sector Summit Washington, D.C.
Washington, D.C. Next Generation Privileged Identity Management Control and Audit Privileged Access Across Hybrid Cloud Environments Ken Ammon, Chief Strategy Officer Who We Are Security software company
ObserveIT User Activity Monitoring software meets the complex compliance and security challenges related to user activity auditing.
ObserveIT User Activity Monitoring software meets the complex compliance and security challenges related to user activity auditing. ObserveIT acts like a security camera on your servers, generating audit
ObserveIT User Activity Monitoring
KuppingerCole Report EXECUTIVE VIEW by Martin Kuppinger April 2015 ObserveIT provides a comprehensive solution for monitoring user activity across the enterprise. The product operates primarily based on
Privileged Administra0on Best Prac0ces :: September 1, 2015
Privileged Administra0on Best Prac0ces :: September 1, 2015 Discussion Contents Privileged Access and Administra1on Best Prac1ces 1) Overview of Capabili0es Defini0on of Need 2) Preparing your PxM Program
Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities
Identity and Access Management Integration with PowerBroker Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 4 BeyondTrust
Drawbacks to Traditional Approaches When Securing Cloud Environments
WHITE PAPER Drawbacks to Traditional Approaches When Securing Cloud Environments Drawbacks to Traditional Approaches When Securing Cloud Environments Exec Summary Exec Summary Securing the VMware vsphere
Complete Patch Management
Complete Patch Management Complete - Flexible Unique In- Depth Secunia CSI 7 Corporate Software Inspector Take control of the vulnerability threat and optimize your IT security investments. The Secunia
Comprehensive Monitoring of VMware vsphere ESX & ESXi Environments
Comprehensive Monitoring of VMware vsphere ESX & ESXi Environments Table of Contents Overview...3 Monitoring VMware vsphere ESX & ESXi Virtual Environment...4 Monitoring using Hypervisor Integration...5
Beyond passwords: Protect the mobile enterprise with smarter security solutions
IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive
Complying with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 An Assessment of Cyber-Ark's Solutions
Complying with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 An Assessment of Cyber-Ark's Solutions z September 2011 Table of Contents EXECUTIVE SUMMARY... 3 CYBER-ARK
Zero Trust. Privileged Access Management
Zero Trust Privileged Access Management $394,700 Mean Monetary Value of Losses Due To CyberCrime Percentage of organizations reporting specific security events: Source: U.S. CERT 2010 CyberSecurity Watch
How To Secure A Database From A Leaky, Unsecured, And Unpatched Server
InfoSphere Guardium Ingmārs Briedis ([email protected]) IBM SW solutions Agenda Any questions unresolved? The Guardium Architecture Integration with Existing Infrastructure Summary Any questions
WHITE PAPER OCTOBER 2014. CA Unified Infrastructure Management: Solution Architecture
WHITE PAPER OCTOBER 2014 CA Unified Infrastructure Management: Solution Architecture 2 WHITE PAPER: CA UNIFIED INFRASTRUCTURE MANAGEMENT: SOLUTION ARCHITECTURE ca.com Table of Contents Introduction 3 The
IBM Security Privileged Identity Manager helps prevent insider threats
IBM Security Privileged Identity Manager helps prevent insider threats Securely provision, manage, automate and track privileged access to critical enterprise resources Highlights Centrally manage privileged
Vulnerability Management
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
Administration Guide NetIQ Privileged Account Manager 3.0.1
Administration Guide NetIQ Privileged Account Manager 3.0.1 December 2015 www.netiq.com/documentation Legal Notice For information about NetIQ legal notices, disclaimers, warranties, export and other use
CSN38:Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO
CSN38:Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO 2009 by Lieberman Software Corporation. Rev 20090921a Identity Management Definitions
Control and management of privileged users
Control and management of privileged users The secure solution for monitoring and recording privileged users Visulox The complete Access Management Solution ToolBox Solution GmbH, established in 2003,
BeyondInsight Version 5.6 New and Updated Features
BeyondInsight Version 5.6 New and Updated Features BeyondInsight 5.6 Expands Risk Visibility Across New Endpoint, Cloud and Firewall Environments; Adds Proactive Threat Alerts The BeyondInsight IT Risk
RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC
RE Think Invent IT & Business IBM SmartCloud Security Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC 2014 IBM Corporation Some Business Questions Is Your Company is Secure
Privileged Access Management 15.2 Available Features
Privileged Access Management 15.2 Available Features Features for Access Console Users Feature Name Multi-Platform Support Endpoint Access Console Windows Windows 2000 Pro SP4 Windows XP Pro SP3 Windows
Safeguarding the cloud with IBM Dynamic Cloud Security
Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from
Secret Server Qualys Integration Guide
Secret Server Qualys Integration Guide Table of Contents Secret Server and Qualys Cloud Platform... 2 Authenticated vs. Unauthenticated Scanning... 2 What are the Advantages?... 2 Integrating Secret Server
Achieving PCI Compliance for: Privileged Password Management & Remote Vendor Access
edmz Introduces Achieving PCI Compliance for: & Remote Vendor Access [ W H I T E P A P E R ] Written by e-dmz Security, LLC February 2010 C o p y r ig h t 2 0 1 0 e - D M Z S e c u r i t y, LL C. A l l
SWOT Assessment: BeyondTrust Privileged Identity Management Portfolio
SWOT Assessment: BeyondTrust Privileged Identity Management Portfolio Analyzing the strengths, weaknesses, opportunities, and threats Publication Date: 11 Jun 2015 Product code: IT0022-000387 Andrew Kellett
Enterprise Random Password Manager 4.83.1 Training Guide
Enterprise Random Password Manager 4.83.1 Training Guide Draft Published: January 11, 2011 Updated: February 9, 2011 Summary This guide provides an overview of Enterprise Random Password Manager (ERPM)
The 10 Pains of UNIX Security. Learn How Privileged Account Security Solutions are the Right Painkiller
Learn How Privileged Account Security Solutions are the Right Painkiller Table of Contents Introduction: Control Access, Empower Team 3 The 10 Pains of UNIX Security 4 Pain No.1: Protecting the Keys to
Server & Application Monitor
Server & Application Monitor agentless application & server monitoring SolarWinds Server & Application Monitor provides predictive insight to pinpoint app performance issues. This product contains a rich
Seven Things To Consider When Evaluating Privileged Account Security Solutions
Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?
Assignment # 1 (Cloud Computing Security)
Assignment # 1 (Cloud Computing Security) Group Members: Abdullah Abid Zeeshan Qaiser M. Umar Hayat Table of Contents Windows Azure Introduction... 4 Windows Azure Services... 4 1. Compute... 4 a) Virtual
Privileged Identity Management for the HP Ecosystem
Privileged Identity Management for the HP Ecosystem Contents HP Service Manager Software (formerly Peregrine)...3 HP Integrated Lights-Out Automated Credential Management....................... 4 HP ArcSight
Privileged Access Management 15.3 Available Features
Privileged Access Management 15.3 Available Features Features for Access Console Users Feature Name Multi-Platform Support Endpoint Access Console Windows Windows 2000 Pro SP4 Windows XP Pro SP3 Windows
CyberArk Privileged Threat Analytics. Solution Brief
CyberArk Privileged Threat Analytics Solution Brief Table of Contents The New Security Battleground: Inside Your Network...3 Privileged Account Security...3 CyberArk Privileged Threat Analytics : Detect
identity management in Linux and UNIX environments
Whitepaper identity management in Linux and UNIX environments EXECUTIVE SUMMARY In today s IT environments everything is growing, especially the number of users, systems, services, applications, and virtual
The Benefits of an Integrated Approach to Security in the Cloud
The Benefits of an Integrated Approach to Security in the Cloud Judith Hurwitz President and CEO Marcia Kaufman COO and Principal Analyst Daniel Kirsch Senior Analyst Sponsored by IBM Introduction The
Bitdefender GravityZone Sales Presentation
6 March 2014 Page 1 Bitdefender GravityZone Sales Presentation 1 Page 2 Bitdefender at a Glance The #1 Anti-Malware Security Technology in the world First security software vendor to receive top recommendations
Enforcing Enterprise-out Security for Cloud Servers
WHITE PAPER Enforcing Enterprise-out Security for Cloud Servers By David McNeely Publication Date: March 2011 Cloud-based computing models offer the promise of a highly scalable compute infrastructure
How To Manage Security On A Networked Computer System
Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy
IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation
IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing
BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance
GUARDING YOUR BUSINESS BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance www.balabit.com In 2008, the Monetary Authority of Singapore (MAS),
What s New in Centrify Server Suite 2015
C E N T R I F Y S E R V E R S U I T E 2 0 1 5 W H A T S N E W What s New in Centrify Server Suite 2015 Centrify Server Suite Standard Edition Hadoop support Big Data adoption by industry is around 25%
SECURE ACCESS TO THE VIRTUAL DATA CENTER
SOLUTION BRIEF SECURE ACCESS TO THE VIRTUAL DATA CENTER Ensure that Remote Users Can Securely Access the Virtual Data Center s Virtual Desktops and Other Resources Challenge VDI is driving a unique need
Devising a Server Protection Strategy with Trend Micro
Devising a Server Protection Strategy with Trend Micro A Trend Micro White Paper Trend Micro, Incorporated» A detailed account of why Gartner recognizes Trend Micro as a leader in Virtualization and Cloud
The CyberArk Privileged Account Security Solution. A complete solution to protect, monitor, detect and respond to privileged accounts
The CyberArk Privileged Account Security Solution A complete solution to protect, monitor, detect and respond to privileged accounts Table of Contents The Privileged Account a Real, Pervasive, Threat...3
NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT
NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a
How to Grow and Transform your Security Program into the Cloud
How to Grow and Transform your Security Program into the Cloud Wolfgang Kandek Qualys, Inc. Session ID: SPO-207 Session Classification: Intermediate Agenda Introduction Fundamentals of Vulnerability Management
CloudPassage Halo Technical Overview
TECHNICAL BRIEF CloudPassage Halo Technical Overview The Halo cloud security platform was purpose-built to provide your organization with the critical protection, visibility and control needed to assure
Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform
Managing Privileged Identities in the Cloud How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud Contents Overview...3 Management Issues...3 Real-World
PREVENTING DATA LOSS THROUGH PRIVILEGED ACCESS CHANNELS
A SECURITY Preventing AND Data Loss COMPLIANCE Through Privileged WHITE Access Channels PAPER PREVENTING DATA LOSS THROUGH PRIVILEGED ACCESS CHANNELS 1 TABLE OF CONTENTS: Introduction...3 The Privilege
KASEYA CLOUD SOLUTION CATALOG 2016 Q1. UPDATED & EFFECTIVE AS OF: February 1, 2016. Kaseya Catalog - 1 - Kaseya Copyright 2016. All rights reserved.
KASEYA CLOUD SOLUTION CATALOG 2016 Q1 UPDATED & EFFECTIVE AS OF: February 1, 2016 Kaseya Catalog - 1 - Overview of the Kaseya Cloud Subscription Solutions The Kaseya Cloud solutions are designed to meet
ISO27001 compliance and Privileged Access Monitoring
ISO27001 compliance and Privileged Access Monitoring February 24, 2014 Abstract How to control and audit remote access to your servers to comply with ISO27001:2013 using the BalaBit Shell Control Box Copyright
Where are Organizations Today? The Cloud. The Current and Future State of IT When, Where, and How To Leverage the Cloud. The Cloud and the Players
The Current and Future State of IT When, Where, and How To Leverage the The and the Players Software as a Service Citrix VMWare Google SalesForce.com Created and Presented by: Rand Morimoto, Ph.D., MCITP,
Your Location Instant NOC using Kaseya. Administrator at Remote Location Secure access to Management Console from anywhere using only a browser
Kaseya Product Brief The Kaseya Platform Making your systems more secure, your staff more productive, your services more reliable and your results easier to validate. No matter what part of Kaseya s integrated
Devising a Server Protection Strategy with Trend Micro
Devising a Server Protection Strategy with Trend Micro A Trend Micro White Paper» Trend Micro s portfolio of solutions meets and exceeds Gartner s recommendations on how to devise a server protection strategy.
IAM can utilize SIEM event data to drive user and role life cycle management and automate remediation of exception conditions.
Research Publication Date: 1 September 2009 ID Number: G00161012 SIEM and IAM Technology Integration Mark Nicolett, Earl Perkins Integration of identity and access management (IAM) and security information
SIEM and IAM Technology Integration
SIEM and IAM Technology Integration Gartner RAS Core Research Note G00161012, Mark Nicolett, Earl Perkins, 1 September 2009, RA3 09302010 Integration of identity and access management (IAM) and security
How To Buy Nitro Security
McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security
Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
Securely maintaining sensitive financial and
How the Guardium Platform Helped Dell IT Simplify Enterprise security By Phil Neray Addison Lawrence David McMaster Venugopal Nonavinakere Safeguarding data is critical for many organizations, but auditing
Next Generation Jump Servers for Industrial Control Systems
Next Generation Jump Servers for Industrial Control Systems Isolation, Control and Monitoring - Learn how Next Generation Jump Servers go beyond network separation to protect your critical infrastructure
End-user Security Analytics Strengthens Protection with ArcSight
Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security
PRIVILEGED IDENTITY MANAGEMENT CASE STUDY. Barak Feldman, Cyber-Ark Software Seth Fogie, Lancaster General Health
PRIVILEGED IDENTITY MANAGEMENT CASE STUDY Barak Feldman, Cyber-Ark Software Seth Fogie, Lancaster General Health November 10, 2011 Cyber-Ark Overview! Established in 1999, HQ Boston, MA Strategic Partnerships!
Privileged Account Management Mar3n Cannard, Security Solu3ons Architect
Privileged Account Management Mar3n Cannard, Security Solu3ons Architect Customer Use Cases - Introduc3on A US-based Natural Gas and Electric company serving multiple states Project Requirements Only grant
Splunk for VMware Virtualization. Marco Bizzantino [email protected] Vmug - 05/10/2011
Splunk for VMware Virtualization Marco Bizzantino [email protected] Vmug - 05/10/2011 Collect, index, organize, correlate to gain visibility to all IT data Using Splunk you can identify problems,
SERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
DirX Identity V8.4. Secure and flexible Password Management. Technical Data Sheet
Technical Data Sheet DirX Identity V8.4 Secure and flexible Password Management DirX Identity provides a comprehensive password management solution for enterprises and organizations. It delivers self-service
Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation
White Paper Securing Multi-Tenancy and Cloud Computing Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation Copyright 2012, Juniper Networks,
SANS Institute First Five Quick Wins
#1 QUICK WIN- APPLICATION WHITELISTING SANS Critical Controls: #2: Inventory of Authorized and Unauthorized Software 1) Deploy application whitelisting technology that allows systems to run software only
ManageEngine (division of ZOHO Corporation) www.manageengine.com. Infrastructure Management Solution (IMS)
ManageEngine (division of ZOHO Corporation) www.manageengine.com Infrastructure Management Solution (IMS) Contents Primer on IM (Infrastructure Management)... 3 What is Infrastructure Management?... 3
